LandonC
September 10, 2021, 4:22am
1
I received an email regarding a flaw in Unity IAP. It does not seem legit, but I thought of sharing it here.
Dear Developers,
We are a group of security researchers at The Ohio State University. We recently performed a study to identify whether the in-app purchasing (IAP) of mobile games developed by Unity can be bypassed in mobile games. An IAP can be bypassed if the payment transaction is verified locally by Unity API (in particular UnityEngine.Purchasing.Security.CrossPlatformValidator.Validate), or there is no verification at all. Such an attack can be launched by either repackaging of the game apps, or rooting the phone, or using virtualization apps such as Parallel Space (which can be easily obtained from Google Play and used by attackers).
During our study, however, we found your game(s) are vulnerable to the payment bypassing attack (or playing without paying attack). As responsible security researchers, we would like to disclose our findings to you, and we hope you will patch your game app soon (e.g., validating the payment in your server side, not locally in the game). We will keep this vulnerability confidential for 6 months (note that when the paper is published, attackers will be able to know how to launch the payment bypassing attacks). Here is the detailed information about your vulnerable game(s):
—(package name: ----, version: 2.4U5) used local verification on payment transactions.
—(package name: ----, version: 20) used local verification on payment transactions.
Please let us know if you have any questions.
Best regards,
Chaoshun Zuo
Email came from s3.gameresearch@gmail.com
mgear
September 10, 2021, 4:50am
2
Are those your games? Sounds like a realistic bug/vuln though…
Still a bit strange that they didn’t use a school email.
LandonC
September 10, 2021, 11:18am
3
Yeah, those are my games. I believe this is a scam as the versions mentioned are very much outdated. I am using the latest IAP available to me too, so if the IAP is flawed, wouldn’t everyone who uses Unity IAP be affected too?
We believe the email is well intentioned and likely not a scam. Our IAP receipt validator performs a local checksum and does not validate with Google servers as correctly stated. However, we have not heard of widespread use of the bypass that this researcher has mentioned in actual practice, but it is possible. No validation is ever 100% effective, and we do not make that claim. We are discussing improved server-side receipt validation in a future release. In the meantime, you might consider a service like ChilliConnect or PlayFab to verify receipts server-side. Our documentation is linked below and states:
“Important: While Unity IAP provides a local validation method, local validation is more vulnerable to fraud. Validating sensitive transactions server-side where possible is considered best practice”
LandonC
September 14, 2021, 5:37am
5
JeffDUnity3D:
We believe the email is well intentioned and likely not a scam. Our IAP receipt validator performs a local checksum and does not validate with Google servers as correctly stated. However, we have not heard of widespread use of the bypass that this researcher has mentioned in actual practice, but it is possible. No validation is ever 100% effective, and we do not make that claim. We are discussing improved server-side receipt validation in a future release. In the meantime, you might consider a service like ChilliConnect or PlayFab to verify receipts server-side. Our documentation is linked below and states:
“Important: While Unity IAP provides a local validation method, local validation is more vulnerable to fraud. Validating sensitive transactions server-side where possible is considered best practice”
https://docs.unity3d.com/Manual/UnityIAPValidatingReceipts.html
Thank you so much for clarifying!
Mauri
September 14, 2021, 6:43am
6
Also, searching the name in that email brings up quite a few entries that confirm the legitimacy - e.g. this and this one.
We also received this message even though we are already using server-side validation.
We are doing: purchase → success → local validation (Unity IAP Validator) → server validation → server unlocks content.
Does this mean we don’t have an issue? We assume we were notified because we are also using the local validation first.
Is there any reason for us to do the local validation (as we are validating with the server anyway)?
We implemented it based on the example project, but we note there’s no local validation in this diagram:
https://docs.unity3d.com/Packages/com.unity.purchasing@3.1/manual/UnityIAPProcessingPurchases.html?_ga=2.154921272.1425503656.1632354011-576983215.1551664329
Or in this description of server validation:
Many thanks,
Albert
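The flow Albert describes (purchase → server validation → server unlocks content) and the server-side validation Jeff recommends, as an added example in Unity C#. This is not code from the thread, from Unity's sample project, or from the Ohio State researchers: the client returns Pending from ProcessPurchase, forwards the untouched receipt to a backend, and unlocks only when the backend answers yes, so the local CrossPlatformValidator is never the deciding check. The validation URL, the request/response JSON shapes, GrantEntitlement and ValidationRequest/ValidationResponse are hypothetical; Unity IAP 3.x (IStoreListener) and Unity 2020.1 or later (UnityWebRequest.Result) are assumed.

```csharp
using System;
using System.Collections;
using System.Text;
using UnityEngine;
using UnityEngine.Networking;
using UnityEngine.Purchasing;

// Added example (not from the thread): entitlements are granted only after a
// backend that holds the store keys has validated the receipt.
public class ServerValidatedPurchaser : MonoBehaviour, IStoreListener
{
    // Hypothetical backend endpoint; replace with your own server.
    const string ValidationUrl = "https://example.invalid/iap/validate";

    // Raised with the product id once the backend has accepted the receipt.
    public event Action<string> EntitlementGranted;

    IStoreController controller;

    [Serializable]
    class ValidationRequest { public string productId; public string transactionId; public string receipt; }

    [Serializable]
    class ValidationResponse { public bool ok; }   // hypothetical response shape

    public void OnInitialized(IStoreController controller, IExtensionProvider extensions)
    {
        this.controller = controller;
    }

    public void OnInitializeFailed(InitializationFailureReason error)
    {
        Debug.LogWarning("IAP init failed: " + error);
    }

    public void OnPurchaseFailed(Product product, PurchaseFailureReason failureReason)
    {
        Debug.LogWarning("Purchase failed: " + product.definition.id + " " + failureReason);
    }

    // Unity IAP calls this when the store reports a completed transaction.
    // Returning Pending keeps the transaction open until the backend answers;
    // nothing is unlocked here, so a patched local validator changes nothing.
    public PurchaseProcessingResult ProcessPurchase(PurchaseEventArgs args)
    {
        StartCoroutine(ValidateWithBackend(args.purchasedProduct));
        return PurchaseProcessingResult.Pending;
    }

    IEnumerator ValidateWithBackend(Product product)
    {
        // product.receipt is the Unity IAP wrapper JSON
        // {"Store":"GooglePlay","TransactionID":"...","Payload":"..."}; it is sent
        // as-is so the server can parse Payload and verify it with keys the
        // client never holds.
        var body = JsonUtility.ToJson(new ValidationRequest
        {
            productId = product.definition.id,
            transactionId = product.transactionID,
            receipt = product.receipt,
        });

        using (var request = new UnityWebRequest(ValidationUrl, UnityWebRequest.kHttpVerbPOST))
        {
            request.uploadHandler = new UploadHandlerRaw(Encoding.UTF8.GetBytes(body));
            request.downloadHandler = new DownloadHandlerBuffer();
            request.SetRequestHeader("Content-Type", "application/json");
            yield return request.SendWebRequest();

            if (request.result != UnityWebRequest.Result.Success)
            {
                // Transport or server error: leave the purchase pending so Unity IAP
                // re-delivers it after the next initialization; grant nothing.
                Debug.LogWarning("Validation request failed: " + request.error);
                yield break;
            }

            var response = JsonUtility.FromJson<ValidationResponse>(request.downloadHandler.text);
            if (response != null && response.ok)
            {
                EntitlementGranted?.Invoke(product.definition.id);
            }
            else
            {
                Debug.LogWarning("Backend rejected receipt for " + product.definition.id);
            }

            // Close the transaction on a definite answer either way: an accepted
            // receipt is now recorded server-side, and a rejected one should not be
            // re-presented on every launch.
            controller.ConfirmPendingPurchase(product);
        }
    }
}
```

The backend is where the actual checks live: it verifies the store signature over the receipt with the public key it holds (not a key shipped inside the APK), confirms the package name and product id match what it sold, checks the purchase state, and records the order or transaction id so the same receipt cannot be replayed for a second unlock. With that in place the client-side CrossPlatformValidator step in Albert's pipeline is redundant, which matches the reply that local validation is not needed once the server validates.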
Always validate your receipts on your backend server to be fail proof!
No solution, even on the server, is fail proof.
More validation would never hurt! But typically, if you are doing server-side validation, local validation is not needed.
I see. Wasn’t aware of the hacks even with server validation.